ATM Skimming 101: How It Works, How to Prevent It

U.S. banks lose about $1 billion a year to ATM skimming, and it's said to be growing 10% per year.

Having been peripherally aware of ATM skimming for some time without ever taking the time to understand how it works, we spoke recently with John Pearce, banking and financial advisor at ADT Security Services, to find out more about this type of fraud.

Over a billion dollars annually in losses are attributable to ATM skimming in the U.S., Pearce says, which far outpaces losses from bank robberies. "In each of the last three years, skimming attacks have increased more than 10%, with a total of over 5,000 arrests in the category of ATM skimming in the last four years," he says. "It's growing exponentially among the 250,000 bank-managed ATMs in the U.S. alone."

What is ATM skimming? It's a high-tech crime in which a criminal electronically steals or skims the cardholder's personal financial information during routine ATM transactions. Skimmers fit a portable electronic card reader right over the ATM's card reader slot to capture the card information. They install mini cameras in the ceiling above the ATM, on the walls, or in literature racks beside the ATM to capture the customer's PIN keystrokes. Those two streams of data are either transmitted over wireless Bluetooth to the criminals, who might be sitting around the corner in a coffee shop or in their car 100 yards away downloading all the data, or stored and recorded in the devices themselves. "The average cardholder has no knowledge that the skimming device is there because it does not interfere with the operation of the ATM."

Couldn't a security camera detect this activity and send an alert or block it? Video monitoring does provide a terrific benefit in terms of post-crime investigation, Pearce says. It can also deter skimmers thinking about placing a skimming device. But by itself, it doesn't necessarily catch or crack down on skimming.

How long does an ATM skimming attack typically last? The average skimming attack is a short-term occurrence, usually an hour or two, Pearce says. "Criminals understand that in a one- to two-hour period, they can accumulate an average of $33,000 per incident," he says. "In one to two hours, you'd be surprised how many transactions can take place in a high-traffic ATM environment." It's a migratory crime, he says -- often criminals take their equipment from one ATM and move it to another, working that neighborhood before moving to the next one.

When do they typically happen? At peak transaction times, such as lunch hour or after work.

These people must have a lot of chutzpah, to install these devices in broad daylight at peak traffic times. "They understand human nature, they understand the frequency and use of ATM patterns, and they're very savvy about the use of technology," Pearce says.

What do ATM skimmers do with the data they collect? They sell the personal data resident on the card on the internet black market, Pearce says. They can clone credit cards or clean out debit accounts. Often skimmers will wait a period of time before using the data they've collected.

How long does it typically take the bank to realize what is happening and respond? Banks are getting better at responding. Those that use sophisticated technology will receive an instant notification when skimming is detected. "Banks do have regular programs of inspecting their machines for unusual behaviors and unusual activity in accounts, which can be a tip-off within two to three hours of unusual card activity, but often that's too late to take advantage of prevention technology if the cards have already been skimmed," Pearce says.

What do banks do when they realize one or more of their ATMs have been skimmed? Each bank has its own policies and procedures, but a couple of things will take place automatically, Pearce says. "At certain values of loss, the financial institution's security and risk departments will begin investigations, work with law enforcement locally and federally on investigations, and the card operations group will communicate to cardholders," he says. But these are typically quick, after-the-fact responses. "It's a very difficult crime to prevent," he says.

ADT recommends that banks take a layered approach to protecting their ATMs that includes a video surveillance camera, an alarm/intrusion system, and anti-skim technology that detects the presence of foreign devices placed over an ATM card reader.